Re: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization

"Matthew D. Hardeman" <mhardeman@ipifony.com> Fri, 12 January 2018 16:39 UTC

From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Message-Id: <FEF9ED51-4C03-42D7-8E52-2ABCCBBFB940@ipifony.com>
Date: Fri, 12 Jan 2018 10:38:58 -0600
In-Reply-To: <82A5A77C-4ACA-4051-B9E7-952A726096C6@ipifony.com>
Cc: acme@ietf.org
To: "Gerd v. Egidy" <gerd.von.egidy@intra2net.com>
References: <1812883.r3FRolLa0t@thunder.m.i2n> <6BFE35AF-898A-4C0E-9780-C9178FF1D381@ipifony.com> <2324058.FQg2fvf6N7@thunder.m.i2n> <82A5A77C-4ACA-4051-B9E7-952A726096C6@ipifony.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TJQt4ND3WhTeSCOJMrFez8PbfCg>
Subject: Re: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization

Not that I think that’s a sane or normal thing to do.  But apparently it’s a thing people are doing.  I didn’t know about it either until I saw this Twitter post and did a little research on it.

https://twitter.com/eey0re/status/951622012211900416


> On Jan 12, 2018, at 10:36 AM, Matthew D. Hardeman <mhardeman@ipifony.com> wrote:
> 
> Yes.
> 
> But there are people forwarding that to the other service port so their application only has one real listener and then that non HTTP TLS server still manages to complete the TLS-SNI challenge (via port 443).
> 
>> On Jan 12, 2018, at 10:33 AM, Gerd v. Egidy <gerd.von.egidy@intra2net.com> wrote:
>> 
>>> I did want to say that if an acceptable mechanism is found in this manner,
>>> it does help with some but not all in-band TLS validation mechanisms.  It
>>> works for web server cases.  It does not fully replace the mechanisms of
>>> the TLS-SNI sort because it would not work for other protocols running over
>>> TLS (like SMTP/TLS).  The TLS-SNI mechanisms do facilitate that.
>> 
>> Really? Isn't TLS-SNI-01/-02 just allowed over TCP port 443?
>> 
>> "This connection MUST be sent to TCP port 443 on the TLS server"
>> 
> 